In our Bogus QR Codes in Restaurants blog, we explained how QR codes have become ingrained in our daily lives, accelerated by the COVID-19 pandemic, where keeping our distance was key. We also outlined that the extensive use of QR codes can come with its dangers, those dangers being malicious actors, who have found ways to exploit QR codes for their fraudulent activities. Unfortunately, 4 years on from the 2020 pandemic, this is still very much the case.
We have all heard horror stories of innocent people scanning what they don’t realise is a fake QR code to order their food in a restaurant, pay for a parking ticket, or even download an app, and lo and behold it’s a scam and they have sent money or personal information to a bad actor.
You may not think twice when scanning a QR code, especially if sitting in a restaurant, but these bad actors are targeting victims in common places that we all visit. Remaining vigilant in all scenarios is key.
In this blog, we are going to explore some of these common places where you may find fake QR codes and how to spot if a QR code is legitimate or not. QR scams are also known as quishing or QR phishing.
In the UK, fake QR codes can appear in various common places. Here are some areas where people should be cautious:
- Restaurants and Cafes: Fake QR codes can be placed over genuine ones on menus or tables, leading to phishing sites.
- Public Transport: Posters and advertisements on buses, trains, and in stations can have tampered QR codes.
- Parking Machines: Fake QR codes can be placed on or near payment machines, tricking users into paying a scammer.
- Tourist Attractions: QR codes on information boards, brochures, or tickets can be altered to mislead tourists.
- Retail Shops: Fake QR codes can be placed on promotional posters, product labels, or receipts.
- Public Noticeboards: Community boards in places like libraries, community centres, or supermarkets can have fake QR codes for events or services.
- Street Posters and Flyers: Promotional materials for events or sales posted on the streets can have counterfeit QR codes.
- Emails and Text Messages: Scammers can send messages containing fake QR codes pretending to be from legitimate businesses or services.
- Cash Machines: QR codes on cash points for customer service or promotional offers can be faked.
- Public WiFi: QR codes in public places offering free WiFi can redirect users to malicious websites.
People should be vigilant and verify the source before scanning QR codes in these situations. Spotting a fake QR code can be challenging, but there are several steps you can take to minimise the risk of falling victim to a scam:
Check for Tampering - Look closely at the QR code to see if it has been placed over another code or if it looks like a sticker.
Verify the Source - Ensure the QR code is from a trusted and legitimate source. If you're unsure, ask a staff member or look for official signage.
Inspect the URL - When scanning a QR code, preview the URL before proceeding. Legitimate QR code scanners and many phone cameras will show the URL. If it looks suspicious or unfamiliar, do not proceed.
Use a Secure QR Code Scanner - Some QR code scanning apps offer additional security features, such as checking the URL against known malicious sites.
Look for Spelling Mistakes - Be wary of QR codes that direct you to URLs with spelling errors or unusual domain names.
Avoid Public QR Codes - Be cautious with QR codes in public places, as these can be easily tampered with. If possible, verify the QR code through an official website or app.
Verify the Context - Consider the context in which the QR code is presented. If it seems out of place or unrelated to the context, it might be fake.
Check for HTTPS - Ensure the website URL starts with "https://" which indicates a secure connection. Avoid sites that only use "http://".
Use Anti-virus Software - Some antivirus apps can detect malicious websites or links, providing an additional layer of protection.
By following these steps, you can better protect yourself from potential scams involving fake QR codes. If you encounter a suspicious QR code, report it to the relevant authorities or the establishment where you found it to help prevent others from falling victim to this cyber attack too.